Introduction

- Denial of Service (DoS)
  - Attack to disrupt the authorized use of networks, systems, or applications
- Distributed Denial of Service (DDoS)
  - Employs multiple compromised computers to perform a coordinated and widely distributed DoS attack
- DoS attacks affect:
  - Software systems
  - Network routers/equipment/servers
  - Servers and end-user PCs
DoS Single Source

[Figure: single-source DoS attack; no text survived extraction]

How DDoS Attacks Work

- Incoming traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more.
- This effectively makes it impossible to stop the attack simply by blocking a single IP address.
- It is very difficult to distinguish legitimate user traffic from attack traffic when the attack is spread across so many points of origin.

[Figure: Operation of a DDoS attack. Attack sources and clean traffic converge on the target server; the target runs out of resources and the service goes offline.]
DDoS Headlines

[Figure: screenshot of a Yibada news page from December 2016 with the headline "Biggest hacks and data breaches of 2016, from Yahoo! breach to DDoS attacks" by Selene Sui]
DDoS Attacks Based On (Byproduct of other attack vectors)

DDoS Source & Targets

DDoS Web Application Attacks

Types of DDoS Attacks

- Traffic attacks: Traffic flooding attacks send a huge volume of TCP, UDP and ICMP packets to the target. Legitimate requests get lost, and these attacks may be accompanied by malware exploitation.
- Bandwidth attacks: This DDoS attack overloads the target with massive amounts of junk data. This results in a loss of network bandwidth and equipment resources and can lead to a complete denial of service.
- Application attacks: Application-layer data messages can deplete resources in the application layer, leaving the target's system services unavailable.
DoS Attacks Fast Facts

- Early 1990s: individual attacks from a single source; first DoS tools
- Late 1990s: botnets, first DDoS tools
- Feb 2000: first large-scale DDoS attack
  - CNN, Yahoo, E*Trade, eBay, Amazon.com, Buy.com
- 2001: Microsoft's name server infrastructure was disabled
- 2002: DDoS attack on the root DNS servers
- 2004: DDoS for hire and extortion
- 2007: DDoS against Estonia
- 2008: DDoS against Georgia during the military conflict with Russia
- 2009: DDoS on Twitter and Facebook
- 2010: DDoS on VISA and MasterCard
2000 DoS Attacks

- In Feb 2000, a series of massive DoS attacks
  - Yahoo, Amazon, eBay, CNN, E*Trade, ZDNet, Datek and Buy.com all hit
- Attacks allegedly perpetrated by teenagers
- Used compromised systems at UCSB
- Yahoo: 3 hours down with $500,000 lost revenue
- Amazon: 10 hours down with $600,000 lost revenue

[Figure: NetworkWorldFusion article "EBay, Amazon, Buy.com hit by attacks", by Martyn Williams, IDG News Service, 02/09/00: "A day after the U.S. Web sites of Yahoo were targeted with a denial of service attack, Amazon.com, eBay and Buy.com were hit by similar attacks"]
2002 DNS DoS Attacks

- ICMP floods, 150 Kpps (primitive attack)
- Took down 7 root servers (two hours)
2009 DDoS on Twitter

- Hours-long service outage
  - 44 million users affected
- At the same time Facebook, LiveJournal, and YouTube were under attack
  - Some users experienced an outage
- Real target: a Georgian blogger

[Figure: Twitter traffic on Aug 6, as seen from 55 ISPs in the Internet Observatory]
DDoS on MasterCard and Visa

- December 2010
- Targets: MasterCard, Visa, Amazon, PayPal, Swiss Postal Finance, and more
- Attack launched by a group of vigilantes called Anonymous (~5000 people)
- DDoS tool is called LOIC or "Low Orbit Ion Cannon"
- Bots recruited through social engineering
  - Directed to download DDoS software and take instructions from a master
- Motivation: payback, due to cut support of WikiLeaks after their founder was arrested on unrelated charges

[Figure: "Payback" graphic]
The new DDoS tool by Anonymous

- New operation is beginning
- A successor of LOIC
- Using SQL and .js vulnerability, remotely deface page
- May be available in September 2011

[Figure: "WE ARE ANONYMOUS" graphic with a V for Vendetta mask]
Operation Facebook

- Announcement on YouTube to bomb Facebook on Nov. 5, 2011
- Facebook's privacy reveals issues
- Why Nov. 5?

"Remember Remember" poem:
Remember, remember the fifth of November,
Gunpowder, treason and plot.
I see no reason why gunpowder treason
Should ever be forgot...
DDoS Attack Classification

DoS attack list

- Flood attack
  - TCP SYN flood
  - UDP flood
  - ICMP (PING) flood
  - Amplification (Smurf, Fraggle since 1998)
- Vulnerability attack
  - Ping of Death (since 1990)
  - Teardrop (since 1997)
  - Land (since 1997)
Flooding attack

- Commonly used DDoS attack
- Sending a vast number of messages whose processing consumes some key resource at the target
- The strength lies in the volume, rather than the content
- Implications:
  - The traffic looks legitimate
  - A traffic flow large enough to consume the victim's resources
  - High packet rate sending
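Because a flood's strength is its volume rather than its content, a defender looks for volume signals rather than signatures. The following is an added example (not from the original slides) that replays a constructed list of client-side TCP packet records and, per source address, reports the peak SYN rate and the number of handshakes that were started but never completed, which is the footprint of a TCP SYN flood. The packet format, the addresses and the thresholds are assumptions chosen for the sample data.

```python
"""SYN-flood indicator from packet records: half-open connections and peak SYN rate.

Added example, not from the original slides. Replays constructed client-side
TCP packet records (ts, src, sport, dst, dport, flags) and, per source,
counts handshakes started (SYN) but never completed (final ACK) and the peak
number of SYNs in any one-second window. Thresholds are assumptions.
"""
from collections import defaultdict

WINDOW_SECONDS = 1.0
SYN_RATE_THRESHOLD = 50.0   # SYNs per second per source (assumed)
HALF_OPEN_THRESHOLD = 20    # outstanding half-open handshakes per source (assumed)


def peak_rate(times, window):
    """Largest number of events inside any interval of `window` seconds,
    returned as events per second (sliding window over sorted timestamps)."""
    times = sorted(times)
    best = 0
    j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] < window:
            j += 1
        best = max(best, j - i)
    return best / window


def analyze(packets, window=WINDOW_SECONDS,
            rate_threshold=SYN_RATE_THRESHOLD,
            half_open_threshold=HALF_OPEN_THRESHOLD):
    """flags is "S" for a client SYN and "A" for the client's handshake-completing ACK.
    Returns {src: {"syn_rate": float, "half_open": int, "flooding": bool}}."""
    syn_times = defaultdict(list)
    pending = defaultdict(set)          # src -> half-open (sport, dst, dport) tuples
    for ts, src, sport, dst, dport, flags in packets:
        conn = (sport, dst, dport)
        if flags == "S":
            syn_times[src].append(ts)
            pending[src].add(conn)
        elif flags == "A":
            pending[src].discard(conn)  # handshake finished: no longer half-open
    report = {}
    for src, times in syn_times.items():
        rate = peak_rate(times, window)
        half_open = len(pending[src])
        report[src] = {
            "syn_rate": rate,
            "half_open": half_open,
            # volume is the signal: many SYNs per second, or many never-completed handshakes
            "flooding": rate >= rate_threshold or half_open >= half_open_threshold,
        }
    return report


def make_sample():
    """Constructed traffic: one well-behaved client and one flooding source."""
    pkts = []
    for n in range(3):  # three complete handshakes from 10.0.0.5
        t = float(n)
        pkts.append((t, "10.0.0.5", 40000 + n, "192.0.2.10", 80, "S"))
        pkts.append((t + 0.05, "10.0.0.5", 40000 + n, "192.0.2.10", 80, "A"))
    for n in range(100):  # 100 SYNs in half a second from 203.0.113.7, no ACKs
        pkts.append((0.5 + n * 0.005, "203.0.113.7", 50000 + n, "192.0.2.10", 80, "S"))
    return sorted(pkts)


if __name__ == "__main__":
    for src, info in analyze(make_sample()).items():
        print(src, info)
```

On the sample, 10.0.0.5 ends with zero half-open connections and a peak of one SYN per second, while 203.0.113.7 leaves 100 half-open connections at a peak of 100 SYNs per second and is flagged. In a real deployment the half-open count is the more robust of the two signals, because a distributed flood can keep each source's rate below any per-source threshold while still exhausting the victim's connection table.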
Vulnerability DoS attack

- Vulnerability: a bug in the implementation or a bug in the default configuration of a service
- Malicious messages (exploits): unexpected input that utilizes the vulnerability is sent
- Consequences:
  - The system slows down, crashes, freezes or reboots
  - Target application goes into an infinite loop
  - Consumes a vast amount of memory
TCP SYN flood

Smurf attack

- Amplification attack
- Sends ICMP ECHO to the network: widespread pings with a faked return address, sent to the broadcast address
- Network sends responses to the victim system
- The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion

[Figure: cartoon, "Honey! I think our network is having another smurf attack!"]

DoS: Smurf

[Figure: Ping broadcast with Src Addr: B, Dst Addr: Broadcast; every host on the network replies to B]

DoS: Fraggle

[Figure: UDP broadcast with Src Addr: B, Dst Addr: Broadcast, src port: echo, dest port: chargen port; the two services answer each other in an infinite loop]

- Well known exploit: Echo/Chargen
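Both Smurf and Fraggle depend on a router forwarding a packet addressed to a subnet's broadcast address, so the standard mitigation is to refuse directed broadcasts at the router and to keep the echo and chargen services from talking to each other. The following is an added example (not from the original slides) that models that filter in Python and computes the amplification factor a directed broadcast would have had; the subnets and packets are constructed.

```python
"""Router-side filter against Smurf/Fraggle amplification.

Added example, not from the original slides. It models what disabling
directed broadcasts on a router does: any packet addressed to the broadcast
address of a directly connected subnet is dropped, and UDP packets that would
bounce between the echo (7) and chargen (19) services are refused as well.
The subnets and packets are constructed.
"""
import ipaddress

ECHO_PORT, CHARGEN_PORT = 7, 19
ICMP_ECHO_REQUEST = 8

# Constructed: subnets directly attached to this router
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]


def directed_broadcast_subnet(dst, subnets=LOCAL_SUBNETS):
    """Return the attached subnet whose broadcast address `dst` is, else None."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if addr == net.broadcast_address:
            return net
    return None


def amplification_factor(dst, subnets=LOCAL_SUBNETS):
    """How many hosts could answer one packet sent to `dst`: every usable
    address of the subnet for a directed broadcast, otherwise just one."""
    net = directed_broadcast_subnet(dst, subnets)
    return net.num_addresses - 2 if net else 1


def classify(pkt, subnets=LOCAL_SUBNETS):
    """pkt: dict with proto ('icmp'/'udp'/'tcp'), src, dst and, for udp,
    sport/dport, for icmp, icmp_type. Returns (verdict, reason)."""
    net = directed_broadcast_subnet(pkt["dst"], subnets)
    if net is not None:
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
            return "drop", f"smurf: ICMP echo request to broadcast of {net}"
        if pkt["proto"] == "udp":
            return "drop", f"fraggle: UDP to broadcast of {net}"
        return "drop", f"directed broadcast to {net}"
    if (pkt["proto"] == "udp"
            and pkt.get("sport") in (ECHO_PORT, CHARGEN_PORT)
            and pkt.get("dport") in (ECHO_PORT, CHARGEN_PORT)):
        # two 'always answer' services talking to each other never stop
        return "drop", "echo/chargen loop"
    return "accept", ""


SAMPLE_PACKETS = [  # constructed
    {"proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.255", "icmp_type": 8},
    {"proto": "udp", "src": "203.0.113.9", "dst": "198.51.100.127", "sport": 7, "dport": 19},
    {"proto": "udp", "src": "192.0.2.20", "dst": "192.0.2.30", "sport": 19, "dport": 7},
    {"proto": "icmp", "src": "192.0.2.20", "dst": "192.0.2.30", "icmp_type": 8},
]


def run_sample():
    """Verdicts for the constructed packets, in order."""
    return [classify(p)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["dst"], classify(p), "x%d" % amplification_factor(p["dst"]))
```

The amplification factor makes the defender's priority clear: one echo request to the broadcast of the /24 would draw 254 replies toward the spoofed source, whereas the same request to a unicast address draws one. The filter drops the three hostile sample packets and accepts the ordinary unicast ping.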
Ping of Death

- Sending an oversized ping packet to the victim
  - A ping of more than 65535 bytes violates the IP packet length
  - Causes a buffer overflow and system crash
- Problem in the implementation, not the protocol
- Has been fixed in modern OSes
  - Was a problem in the late 1990s
Teardrop

- A bug in the TCP/IP fragment reassembly code
- Sends mangled IP fragments with overlapping, oversized payloads to the target machine
- Crashes various operating systems

[Figure: two fragment layouts. Correct case: the 2nd fragment extends past the end of the 1st, so the needed memory, end - offset, is > 0. Incorrect case: the 2nd fragment ends inside the 1st, so after trimming the overlap the needed memory, end - offset, is < 0.]
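Ping of Death and Teardrop are both defeated by validating fragments before they are buffered: the reassembled datagram must fit the 16-bit IP length field, and a fragment must not overlap one already accepted. The following is an added example (not from the original slides) that performs both checks on constructed fragment lists; it reports the slide's end - offset value for the would-be trimmed piece so that the negative size behind Teardrop is visible, but it rejects every overlap instead of trimming, which is the safer policy.

```python
"""Fragment reassembly sanity checks that stop Ping of Death and Teardrop.

Added example, not from the original slides. A fragment is modelled as
(offset, payload_length, more_fragments) with the offset already in bytes.
Before a fragment is buffered, the datagram length is bounded to what IP
allows (Ping of Death) and the fragment must not overlap one already
accepted (Teardrop). All fragment lists below are constructed.
"""
MAX_DATAGRAM = 65535          # largest IP total length the 16-bit field can express
IP_HEADER = 20                # header bytes; offsets count payload bytes after it
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER


def check_fragments(frags):
    """Return ('ok', total_length), ('incomplete', None) or ('reject', reason)."""
    accepted = []      # (start, end) of fragments already buffered
    total = None       # payload length announced by the last (MF=0) fragment
    for offset, length, more in frags:
        if offset % 8:
            return "reject", "fragment offset is not a multiple of 8"
        start, end = offset, offset + length
        if end > MAX_PAYLOAD:   # Ping of Death: datagram would exceed 65535 bytes
            return "reject", f"payload ends at {end}, datagram would be {end + IP_HEADER} bytes"
        for s, e in accepted:
            if start < e and s < end:
                # Trimming the overlap would leave end - e bytes; a negative value
                # is the Teardrop condition. Rejecting every overlap avoids it.
                return "reject", f"overlaps buffered fragment, trimmed size {end - e}"
        if not more:
            if total is not None:
                return "reject", "two fragments marked as last"
            total = end
        accepted.append((start, end))
    if total is None:
        return "incomplete", None
    accepted.sort()
    pos = 0
    for s, e in accepted:
        if s != pos:
            return "incomplete", None       # a hole remains; keep waiting
        pos = e
    if pos != total:
        return "reject", "data beyond the fragment marked as last"
    return "ok", total


# Constructed fragment lists
TEARDROP = [(0, 36, True), (24, 4, False)]             # 2nd fragment ends inside the 1st
PING_OF_DEATH = [(0, 1480, True), (65512, 28, False)]  # payload would end at byte 65540
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 100, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        print(name, check_fragments(frags))
```

For the Teardrop sample the trimmed size comes out as -8, exactly the negative length that the vulnerable reassembly code used as a copy count; the Ping of Death sample is refused because its last fragment would push the datagram past 65535 bytes.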
LAND

- A LAND (Local Area Network Denial) attack
- First discovered in 1997 by "m3lt"
  - Affects several OSes:
    - AIX 3.0
    - FreeBSD 2.2.5
    - IBM AS/400 OS/400 3.7
    - MacOS 7.6.1
    - SunOS 4.1.3, 4.1.4
    - Windows 95, NT and XP SP2
- IP packets where the source and destination address are set to address the same device
  - The machine replies to itself continuously
  - Published code: land.c

LAND

[Figure: attacker sends the victim packets (Source | Destination | 800 Bytes, repeated) in which both the source and destination addresses are those of the victim. The source address in the IP header is spoofed, while the true source address remains hidden. The victim creates empty connections with itself; the empty connections consume the victim's resources until all resources are consumed, which inhibits normal operations.]
DDoS Defense

December 27, 2016

Are we safe from DDoS?

- "My machine is well secured"
  - It does not matter. The problem is not your machine but everyone else's.
- "I have a firewall"
  - It does not matter. We slip in with legitimate traffic or we bomb your firewall.
- "I use VPN"
  - It does not matter. We can fill your VPN pipe.
- "My system is very highly provisioned"
  - It does not matter. We can get bigger resources than you have.
Why DoS Defense is difficult

- Conceptual difficulties
  - Mostly random source addresses in the packets
  - Moving filtering upstream requires communication
- Practical difficulties
  - Routers don't have many spare cycles for analysis/filtering
  - Networks must remain stable, which biases against infrastructure change
  - Attack tracking can cross administrative boundaries
  - End-users/victims often see the attack differently (more urgently) than network operators
- Nonetheless, need to:
  - Maximize filtering of bad traffic
  - Minimize "collateral damage"
Defenses against DoS attacks

- DoS attacks cannot be prevented entirely
- Impractical to prevent flash crowds without compromising network performance
- Three lines of defense against (D)DoS attacks
  - Attack prevention and preemption
  - Attack detection and filtering
  - Attack source traceback and identification
Attack prevention

- Limit the ability of systems to send spoofed packets
  - Filtering done as close to the source as possible by routers/gateways
  - Reverse-path filtering ensures that the path back to the claimed source is the same as the current packet's path
  - Ex: on a Cisco router, the "ip verify unicast reverse-path" command
- Rate controls in upstream distribution nets
  - On specific packet types
  - Ex: some ICMP, some UDP, TCP SYN
- Block IP broadcasts
Responding to attacks

- Need a good incident response plan
  - With contacts for the ISP
  - Needed to impose traffic filtering upstream
  - Details of the response process
- Ideally have network monitors and IDS
  - To detect and notify of abnormal traffic patterns
How are DDoS attacks practically handled?

Router Filtering

Path via different interface?

- Unicast Reverse Path Forwarding

[Figure: Router B checks the packet's source address in its routing table]

- Does routing back to the source go through the same interface?
- Cisco interface command: ip verify unicast rpf
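The uRPF check described on this slide and the LAND drop from the earlier slides are both decisions a router makes from a packet's addresses and its ingress interface, so the following added example (not from the original slides, and not Cisco's implementation) models both in Python. The routing table, interface names and packets are constructed; the source address is resolved by longest-prefix match and the packet passes only if the route back to that source leaves through the interface it arrived on (strict mode). A source matching only the default route is treated as unverifiable unless the caller opts in, in the spirit of the allow-default option of Cisco's uRPF.

```python
"""Strict unicast reverse-path check plus the LAND (src == dst) drop.

Added example, not from the original slides. The routing table, interfaces
and packets are constructed. A packet passes only if the longest-prefix
route back to its source leaves through the interface it arrived on; a
packet whose source equals its destination is dropped before any lookup.
"""
import ipaddress

# Constructed routing table: (prefix, interface through which the prefix is reached)
ROUTES = [
    ("10.1.0.0/16", "eth0"),   # customer aggregate
    ("10.1.5.0/24", "eth1"),   # more specific subnet behind a different interface
    ("0.0.0.0/0", "eth2"),     # default route toward the upstream provider
]


def build_table(routes=ROUTES):
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]


def lookup(table, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def filter_packet(table, src, dst, ingress, allow_default=False):
    """Return (verdict, reason) for a packet with the given addresses that
    arrived on interface `ingress`."""
    if src == dst:
        return "drop", "LAND: source address equals destination address"
    match = lookup(table, src)
    if match is None:
        return "drop", "no route back to source"
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        # the default route says nothing about where the source really lives
        return "drop", "source reachable only via default route"
    if iface != ingress:
        return "drop", f"uRPF: return path is {iface}, packet arrived on {ingress}"
    return "accept", ""


SAMPLE = [  # constructed: (src, dst, ingress interface)
    ("10.1.5.9", "192.0.2.10", "eth1"),      # legitimate host behind eth1
    ("10.1.5.9", "192.0.2.10", "eth0"),      # same source seen on the wrong interface
    ("10.1.200.3", "192.0.2.10", "eth0"),    # customer aggregate, correct interface
    ("203.0.113.5", "192.0.2.10", "eth0"),   # external source spoofed from the customer side
    ("203.0.113.5", "192.0.2.10", "eth2"),   # external source arriving from upstream
    ("192.0.2.10", "192.0.2.10", "eth2"),    # LAND packet
]


def run_sample(allow_default=False):
    """Verdicts for the constructed packets, in order."""
    table = build_table()
    return [filter_packet(table, s, d, i, allow_default)[0] for s, d, i in SAMPLE]


if __name__ == "__main__":
    table = build_table()
    for s, d, i in SAMPLE:
        print(s, "->", d, "on", i, filter_packet(table, s, d, i))
```

The fourth sample packet is the one ingress filtering exists for: a customer-facing interface sees a source that no customer prefix covers, so the packet is spoofed and is dropped regardless of the allow-default setting. The fifth shows why strict uRPF is applied at the edge rather than on upstream-facing interfaces: traffic arriving from the provider can legitimately match only the default route.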
Black hole Routing

[Figure: black hole routing at a peering point; no text survived extraction]

Blackhole in Practice (I)

Blackhole in Practice (II)

Blackhole in Practice (III)

- Hijack traffic = BGP
DDoS Attack Trends

- Attackers follow defense approaches and adjust their code to bypass defenses
- Use of subnet spoofing defeats ingress filtering
- Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
- Encryption of attack packets defeats traffic analysis and signature detection
- Pulsing attacks defeat slow defenses and traceback
- Flash-crowd attacks generate application traffic
Conclusion

- No matter how secure a system is or how good the defense techniques used, it is not possible to completely prevent DDoS attacks.
- 75% of web application attacks targeted US sites
DoS Attack Demo

[Figure: screenshot of several command windows titled "DDOS pu.edu.np" and a terminal running "ping pu.edu.np": "Pinging pu.edu.np [162.222.226.195] with 32 bytes of data: Request timed out." Video title: "PHP Training DDOS Dem..."]